
Daily Shaarli

All the links from one day on a single page.

January 26, 2026

Leader of ransomware crew pleads guilty to four-year crime spree

CyberScoop (cyberscoop.com/), by Matt Kapko, January 22, 2026

Ianis Antropenko, a Russian national living in California, admitted to committing ransomware attacks against at least 50 victims. He faces up to 25 years in jail.

A Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.

Ianis Aleksandrovich Antropenko began participating in ransomware attacks before moving to the United States, but conducted many of his crimes while living in Florida and California, where he’s been out on bond enjoying rare leniency since his arrest in 2024.

Antropenko pleaded guilty in the U.S. District Court for the Northern District of Texas earlier this month to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. He faces up to 25 years in jail, fines up to $750,000 and is ordered to pay restitution to his victims and forfeit property.

Federal prosecutors reached a plea agreement with Antropenko after a years-long investigation, closing one of the more unusual cases against a Russian ransomware operator who committed many of his crimes while living in the U.S.

While most cybercriminals, especially those involved in ransomware, are held in jail pending trial because of a flight risk, Antropenko was granted bail the day of his arrest.

This rare flash of deferment in a case involving a prolific cybercriminal is even more shocking considering his multiple run-ins with police since then. Antropenko violated conditions for his pretrial release at least three times in a four-month period last year, including two arrests in Southern California involving dangerous behavior while under the influence of drugs and alcohol.

As part of his plea agreement, Antropenko recognized that pleading guilty could impact his immigration status since the crimes he committed are removable offenses.

Court records don’t indicate if Antropenko has been detained pending sentencing, and his sentencing hasn’t been scheduled. His attorney and federal prosecutors working on his case did not respond to requests for comment.

Antropenko admitted to leading the ransomware conspiracy with the aid of multiple co-conspirators, including some who lived outside the U.S.

His ex-wife, Valeriia Bednarchik, was previously implicated by the FBI and prosecutors as one of his alleged co-conspirators involved in the laundering of ransomware proceeds.

FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.

Bednarchik, who also lives in Southern California, has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities previously indicated they plan to bring charges against her, no cases are currently pending.

Antropenko, who previously pleaded not guilty to the charges in October 2025, used multiple ransomware variants to commit attacks, including Zeppelin and GlobeImposter. The ransomware operation he led caused losses of at least $1.5 million to victims, according to court records.

Yet, the spoils of his crimes appear to be much greater. The Justice Department seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. Authorities seized an additional $595,000 in cryptocurrency from a wallet Antropenko owned in July 2025.

Nike Probes Potential Breach After Threat From Hacking Group

pcmag.com, by Michael Kan, Senior Reporter

UPDATE 1/24: The hacking group World Leaks claims to have stolen 1.4TB of data from Nike, according to a post on the gang's website.

The stolen data covers 188,000 files. But a cursory look suggests that World Leaks looted internal files about Nike's clothing manufacturing business, rather than any customer or employee information. For example, a few of the folders are titled "Garment making process," "Nike Apparel tools" and "Women's Lifestyle." Another set of folders has Chinese-language titles.

[Image: The data (World Leaks)]
We've reached out to Nike for comment and we'll update the story if we hear back.

Original story:
Nike is investigating a possible data breach after a hacking group listed the fashion brand as one of its latest victims.

On Thursday, cybersecurity researchers spotted World Leaks posting on the dark web about breaching Nike. It's unclear what they stole; for now, the group’s post shows only a countdown clock, indicating that World Leaks plans to reveal more on Saturday morning.

In response, Nike told PCMag: “We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation.”

According to cybersecurity firms, World Leaks operates as an extortion group that loots data from companies to force them to pay up, or else it’ll leak the stolen information. The group previously operated as “Hunters International,” and focused on delivering ransomware to encrypt victim computers. But last year, following increased scrutiny from law enforcement, the gang rebranded as World Leaks and pivoted to extortion-only tactics.

“They typically gain initial access through phishing campaigns, compromised credentials, or exploitation of exposed services,” according to cybersecurity vendor Blackpoint Cyber. “Once inside, they perform data discovery and exfiltration, prioritizing confidential corporate or personal information.”

[Image: World Leaks sites (Credit: World Leaks)]
Still, it’s possible that World Leaks stole inconsequential data from Nike. The group has already listed 114 other victims; it claims to have stolen 1.3TB of data from Dell. But the PC maker says World Leaks merely infiltrated a platform the company uses to demo products to prospective clients. As a result, the hackers were only able to access and steal an outdated contact list.

Call-On-Doc allegedly had a breach affecting more than 1 million patients. They’ve yet to comment. – DataBreaches.Net

databreaches.net/, posted on January 24, 2026 by Dissent

Telehealth provider Call-On-Doc, Inc., dba Call-On-Doc.com, advertises that it has 2 million active patients and treats 150+ medical conditions. It claims to be the most highly rated telehealth service, and it assures patients of “state-of-the-art” data security for their information. But if a post on a hacking forum is accurate, Call-On-Doc recently had a breach that may have affected more than one million patients.

According to a sales listing on a hacking forum, Call-On-Doc was breached in early December, and 1,144,223 patient records were exfiltrated. The types of information reportedly included:

Patient Code, Transaction Number, Patient Name, Patient Address, Patient City, Patient State, Patient Zip, Patient Country, Patient Phone Number, Patient Email Address, Medical Category, Medical Condition, Service / Prescription, Paid Amount

Three screenshots with rows of dozens of patients’ information were included in the listing. An additional .txt file with information on 1,000 patients was also included.

Inspection of the screenshots immediately raised concerns about the sensitive information they revealed. Although some appointments were visits for conditions such as strep infections or other medical conditions, a number of patient records were for the “STD” category (sexually transmitted disease), with the specific type of STD listed in the “Condition” field.

Is Call-On-Doc HIPAA-Regulated?
Call-On-Doc does not accept insurance. It is a self-pay model, and no health insurance information or Social Security Numbers were included in the data. Because it is self-pay, DataBreaches is unsure whether Call-On-Doc is a HIPAA-regulated entity. If it uses electronic transmission for other covered transactions, it might be. But even if it is not a HIPAA-regulated entity, it would still be regulated by state laws and the Federal Trade Commission (FTC).

When HIPAA does not apply, the FTC can investigate and take enforcement action for violations of the FTC Act if there are deceptive or “unfair practices,” such as promising excellent data security for health data or patient information, but failing to deliver it.

A check of Call-On-Doc’s website reveals the following statement in its FAQ:

Q: Is my payment and medical information safe with Call-On-Doc?

A: Absolutely! Call-On-Doc employs state-of-the-art security measures, including our proprietary Electronic Health Record (EHR) system, and is fully HIPAA compliant.

According to the threat actor, they found no evidence of any encryption, and the entity did not detect the attack while it was in progress. HIPAA does not actually mandate encryption, but what “state-of-the-art” security measures did Call-On-Doc use to provide the kind of protection that protected health information (PHI) requires? And have they implemented any changes or additional protections since being alerted to the alleged breach?

Given that patients from many states may be involved, this might be a situation in which multiple state attorneys general collaborate to investigate a breach and an entity’s risk assessment, security, and incident response, including notification obligations.

Notification Obligations and Regulatory Questions
DataBreaches emailed Call-On-Doc’s privacy@ email address on Thursday to ask if it had confirmed any breach. There was no reply.

DataBreaches emailed its support@ email address on Friday. There was no reply.

If these are real data, there are several questions regulators may investigate.

According to the individual who posted the listing and shared additional details with DataBreaches in private communication, the breach occurred in early December. They contacted Call-On-Doc on December 25 to alert them to the breach and to try to negotiate a payment to avoid leaking or selling it. “They contacted me from an unofficial email address. I provided all the evidence and details, but then they stopped responding—basically ignoring me,” the person told DataBreaches.

Regardless of which federal or state agencies may have jurisdiction, if these are real patient data, Call-On-Doc also has a duty to notify patients and regulators promptly. While some regulations or statutes require “without unreasonable delay,” HIPAA has a “no later than 60 calendar days from discovery” deadline, and 19 states have notification deadlines of 30 days. As of publication, DataBreaches cannot find any substitute notice, media notice, website notice, or notification to any state attorneys general or federal regulators.

DataBreaches reminds readers that Call-On-Doc has not confirmed the claims. Even though the patient data appears likely to be real, AI has advanced to the point where threat actors can create datasets that appear legitimate. DataBreaches does not think that is the case here, but can’t rule out that possibility without contacting patients, which this site tries to avoid to spare patients any embarrassment or anxiety. For a small random sample of records from the 1,000-patient file that DataBreaches checked via Google searches, most patients are still at the listed addresses. Others could be verified as having lived at the listed addresses in the recent past.

One other detail suggests the data are real: the seller is accepting escrow for the sale, which is usually an indicator that the listing is not a scam.

This post may be updated when Call-On-Doc responds or more information becomes available.

If you were or are a Call-On-Doc patient and have heard from Call-On-Doc about a breach, we’d like to hear from you.

Cyberattack disrupts digital systems at renowned Dresden museum network | The Record from Recorded Future News

therecord.media
Daryna Antoniuk
January 23rd, 2026

Germany’s Dresden State Art Collections, one of Europe’s oldest museum networks, has been hit by a targeted cyberattack that disrupted large parts of its digital infrastructure, the state of Saxony’s culture ministry said this week.

The attack, discovered on Wednesday, has left the museum group with limited digital and phone services. Online ticket sales, visitor services, and the museum shop are currently unavailable, and payments at museum sites can only be made in cash. Tickets purchased online before the incident remain valid and can still be scanned on site.

Despite the disruption, the museums remain open to visitors. The culture ministry said security systems protecting the collections were not affected and that both physical and technical security remain fully intact.

The Dresden State Art Collections, known as SKD, said it is unclear when all affected systems will be fully restored. As of Friday, the institution was still operating under restrictions, with no new updates on the incident, local media reported, citing an SKD spokesperson.

Officials have not said who carried out the attack or what their motives may have been. It is also unclear whether the incident involved a ransom demand or whether any negotiations with the attackers are underway.

The Dresden State Art Collections oversee about 15 museums, housing works by artists such as Raphael and Rembrandt, as well as the famed Green Vault, one of Europe’s richest treasure chambers, known for its royal jewels and goldwork.

Cultural institutions have increasingly become targets for cybercriminals in recent years. In 2023, Canada’s national art museum spent weeks restoring systems after a ransomware attack, while in 2022 the Metropolitan Opera in New York suffered a cyberattack that disrupted ticketing and box office operations during the busy holiday season.

Major libraries have also drawn the attention of hackers, prompting U.S. officials to launch a program to help such institutions protect themselves from cyberattacks. In 2023, ransomware crippled the systems of the British Library, one of the world’s largest and the national library of the United Kingdom. In Canada, the Toronto Public Library spent months recovering from a ransomware attack, describing the incident as a “crime scene.”

Under Armour looking into data breach affecting customers' email addresses

Clothing retailer Under Armour is investigating a recent data breach that purloined customers’ email addresses and other personal information, but so far there are no signs the hackers stole any passwords or financial information.

The breach is believed to have happened late last year and affected 72 million email addresses, according to information cited by the cybersecurity website Have I Been Pwned. Some of the records taken also contained other personal information, including names, genders, birthdates and ZIP codes.

In an Under Armour statement acknowledging its investigation into the claims of a data breach, the Baltimore-based company said: “We have no evidence to suggest this issue has affected UA.com or systems used to process payments or store customer passwords. Any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded.”

Have I Been Pwned CEO Troy Hunt said that he agrees with Under Armour’s assertion, based on the information that has emerged so far. But he also said he was surprised by the lack of an official disclosure statement from the company.